Partitioning Aggregation
With IdentityIQ version 8.1 Patch 4, 8.2, or 8.0p5, auto partitioning can be performed by going to Configuration > Settings > Account and selecting the Allow Auto Partitioning checkbox. For more information, refer to Account and Group Settings.
Configuring partitions manually
The Active Directory connector supports the Partitioning Aggregation feature to enable faster retrieval of Active Directory data.
In the Active Directory connector, data can be partitioned by specifying a searchDN and/or a searchFilter as a partition entry. The Active Directory connector partition entries are the application configuration searchDNs list, with each entry of the list treated as a single partition.
Typically, for a container-based partitioning of data, define the searchDNs or partition list as follows:
<entry key="searchDNs">
  <value>
    <List>
      <Map>
        <entry key="searchDN" value="ou=test1,DC=test,DC=sailpoint,DC=com"/>
        <entry key="iterateSearchFilter" value="(&amp;(objectclass=user))"/>
        <entry key="searchScope" value="SUBTREE"/>
      </Map>
      <Map>
        <entry key="searchDN" value="ou=test2,DC=test,DC=sailpoint,DC=com"/>
        <entry key="iterateSearchFilter" value="(&amp;(objectclass=user))"/>
        <entry key="searchScope" value="SUBTREE"/>
      </Map>
    </List>
  </value>
</entry>
For filter-based partitioning, define the searchDNs list or partition list as follows:
<entry key="searchDNs">
  <value>
    <List>
      <Map>
        <entry key="searchDN" value="DC=test,DC=sailpoint,DC=com"/>
        <entry key="iterateSearchFilter" value="(&amp;(objectclass=user)(sn=a*))"/>
        <entry key="searchScope" value="SUBTREE"/>
      </Map>
      <Map>
        <entry key="searchDN" value="DC=test,DC=sailpoint,DC=com"/>
        <entry key="iterateSearchFilter" value="(&amp;(objectclass=user)(sn=b*))"/>
        <entry key="searchScope" value="SUBTREE"/>
      </Map>
    </List>
  </value>
</entry>
As seen above, in the first example the OUs on which the search is performed are different, although the searchFilter is the same. In the second partition entry, the OUs are the same but the iterateSearchFilter values are different. Because the required key values are similar, both of the above examples can be combined in the application configuration of a single Active Directory connector application. The Active Directory connector combines the searchDN value and the iterateSearchFilter value and treats the result as the partition context, so no additional configuration is required.
Note
Each of the partitions specified must be unique by way of the searchDN value or the iterateSearchFilter value. If not, the first partition is aggregated and the subsequent duplicates are skipped.
When no partition list is defined, the aggregation executes over the baseDN and the iterateSearchFilter only, even though the task definition has partitioning enabled. Similarly, when a partition list is defined but partitioning is not enabled on the task definition, IdentityIQ retrieves data from each searchDN entry sequentially.
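The uniqueness rule in the note above can be checked before an aggregation run, since a copy-paste mistake in a partition entry silently leaves the intended scope out of the aggregation. The following Python sketch is an added example, not SailPoint code: it parses a searchDNs entry and reports partitions whose searchDN and iterateSearchFilter pair repeats an earlier one. The sample XML is constructed, the function names are hypothetical, and exact string comparison of the pair is an assumption about how the connector matches partition contexts.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the third partition repeats the first partition's context.
SAMPLE = """<entry key="searchDNs"><value><List>
  <Map>
    <entry key="searchDN" value="ou=test1,DC=test,DC=sailpoint,DC=com"/>
    <entry key="iterateSearchFilter" value="(&amp;(objectclass=user))"/>
    <entry key="searchScope" value="SUBTREE"/>
  </Map>
  <Map>
    <entry key="searchDN" value="DC=test,DC=sailpoint,DC=com"/>
    <entry key="iterateSearchFilter" value="(&amp;(objectclass=user)(sn=a*))"/>
  </Map>
  <Map>
    <entry key="searchDN" value="ou=test1,DC=test,DC=sailpoint,DC=com"/>
    <entry key="iterateSearchFilter" value="(&amp;(objectclass=user))"/>
  </Map>
</List></value></entry>"""


def partition_contexts(xml_text):
    """Return one (searchDN, iterateSearchFilter) pair per <Map> partition."""
    root = ET.fromstring(xml_text)  # fails on a raw '&'; it must be written &amp;
    contexts = []
    for part in root.iter("Map"):
        keys = {e.get("key"): e.get("value", "") for e in part.findall("entry")}
        contexts.append((keys.get("searchDN", ""),
                         keys.get("iterateSearchFilter", "")))
    return contexts


def skipped_duplicates(xml_text):
    """Return (index, first_index, context) for each partition that repeats
    an earlier context and would therefore not be aggregated again."""
    seen = {}
    duplicates = []
    for index, context in enumerate(partition_contexts(xml_text)):
        if context in seen:
            duplicates.append((index, seen[context], context))
        else:
            seen[context] = index
    return duplicates


if __name__ == "__main__":
    for index, first, (dn, flt) in skipped_duplicates(SAMPLE):
        print(f"partition {index} duplicates partition {first}: {dn} {flt}")
```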